This is our old Q&A Site. Please post any new questions and answers at

With tcpdump, if I want to capture all TCP connection attempts (whether successful or not), I use the following capture filter:

tcp[tcpflags] & (tcp-syn) != 0

and if I want to capture the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host, I use:

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet

How can I do these examples using the Wireshark GUI (creating capture filters)? Thanks in advance!

This question is marked "community wiki".

asked 08 Mar '13, 10:30

zig69


edited 08 Mar '13, 10:32

Assuming you're running Wireshark 1.8.x, you can open the capture options and double click on the interface you want to capture on. This will open another dialog where you can specify the capture filter.

On older versions, you'll see the capture filter input field right after opening the capture options dialog.


answered 08 Mar '13, 10:34

Jasper ♦♦

Thanks for your answer, but I already knew that, it is trivial! I meant how to create the filters (syntax) for doing the same thing that I do with tcpdump...

(08 Mar '13, 11:12) zig69

Not sure what you're aiming at, but THAT capture filter box takes tcpdump syntax... just put it in there, just as you would for tcpdump. Did you ever try? It's trivial! ;-)

(08 Mar '13, 13:59) Jasper ♦♦

Yes, it's trivial but it does not work! The filter: tcp[tcpflags] & (tcp-syn) != 0 works well, but when I add the expression "and not src and dst net localnet" the capture filter field appears in red and does not work (of course) :-(

(11 Mar '13, 10:42) zig69

Wireshark does not know the term localnet

(11 Mar '13, 23:52) Kurt Knochner ♦

localnet is not a libpcap keyword, it is looked up by your system in /etc/networks. Even though you can add an entry to /etc/networks, it does not seem to be CIDR compatible, so if you are on a network that is not classful, you will be out of luck anyway.

See also:

You will have to construct the network address for your network yourself and can then use it like this (for

tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net

answered 15 Mar '13, 04:57

SYN-bit ♦♦
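The approach from the answer above, as an added example (not code from the original posts or from Wireshark): derive the network from an interface address and netmask, build the filter string for the capture filter box with that network in place of localnet, and evaluate the same predicate over a few packets. The function names, addresses and packets are constructed assumptions.

```python
import ipaddress

SYN, FIN, ACK = 0x02, 0x01, 0x10  # TCP flag bits (tcp-syn, tcp-fin, tcp-ack)

def local_network(if_addr: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the network containing the interface address (host bits cleared)."""
    return ipaddress.IPv4Interface(f"{if_addr}/{netmask}").network

def build_capture_filter(net: ipaddress.IPv4Network) -> str:
    """The SYN/FIN filter from the question, with localnet replaced by net/len."""
    return ("tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 "
            f"and not src and dst net {net.with_prefixlen}")

def would_capture(flags: int, src: str, dst: str,
                  net: ipaddress.IPv4Network) -> bool:
    """Evaluate the same predicate in Python for one TCP/IPv4 packet.

    'src and dst net X' is true only when BOTH endpoints are inside X,
    so negating it keeps conversations with at least one non-local host.
    """
    both_local = (ipaddress.ip_address(src) in net
                  and ipaddress.ip_address(dst) in net)
    return (flags & (SYN | FIN)) != 0 and not both_local

# Constructed sample values: a classless /23 that /etc/networks cannot express.
IF_ADDR, NETMASK = "10.20.5.77", "255.255.254.0"
NET = local_network(IF_ADDR, NETMASK)

# Constructed packets: (label, flags, source, destination)
PACKETS = [
    ("SYN to remote host",       SYN,       "10.20.5.77",    "198.51.100.10"),
    ("SYN inside local /23",     SYN,       "10.20.5.77",    "10.20.4.9"),
    ("plain ACK to remote host", ACK,       "10.20.5.77",    "198.51.100.10"),
    ("FIN+ACK from remote host", FIN | ACK, "198.51.100.10", "10.20.5.77"),
    ("SYN just outside the /23", SYN,       "10.20.5.77",    "10.20.6.1"),
]

def evaluate(packets=PACKETS, net=NET):
    """Return {label: captured?} for the sample packets."""
    return {label: would_capture(f, s, d, net) for label, f, s, d in packets}

if __name__ == "__main__":
    print(build_capture_filter(NET))
    for label, captured in evaluate().items():
        print(f"{'capture' if captured else 'skip   '}  {label}")
```

The printed filter string is what goes into the capture filter field; the Python predicate only mirrors its logic for IPv4 and is not a BPF implementation.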

question asked: 08 Mar '13, 10:30

question was seen: 8,447 times

last updated: 15 Mar '13, 04:57